Framework · ISO/IEC 27001:2022

Run your ISO 27001 ISMS.
Prove it on demand.

01GRC gives you the operating system of an ISO/IEC 27001:2022 Information Security Management System — risk assessment, Statement of Applicability, control testing, internal audit, management review and corrective action — with the evidence trail an auditor expects to see, out of the box.

All 93 Annex A:2022 controls · Statement of Applicability · built by GRC practitioners
Why 01GRC for ISO 27001

Operate the ISMS — don't just document it.

Every claim here maps to a real feature, and we keep an honest line between the ISMS processes 01GRC runs and the Annex A controls it assures.

Built around your business, not a clause list

Your departments, processes, assets, data flows and vendors are the model; ISO 27001 plugs into it. Every risk reads as a business risk and every control as a business safeguard.

Operate, don't just document

Risk, treatment, SoA, control tests, audits, management review and corrective actions are live workflows — not spreadsheets bolted to a wiki.

Audit-ready by default

Activity logging, immutable management-review sign-offs, encrypted and virus-scanned evidence, and explainable control applicability mean you can answer "show me" instantly.

Honest about scope

01GRC assures your Annex A controls and runs your ISMS processes. We tell you plainly which controls you implement and which the platform performs — no surprises in the audit room.

Clauses 4–10

Operate your ISMS.

Where ISO 27001 asks for a process, 01GRC gives you a working feature.

ISO 27001 requirement / what 01GRC delivers:

Risk assessment & treatment (Cl. 6.1)
A repeatable risk process: threats, vulnerabilities, inherent-versus-residual scoring and named risk levels, with every risk tied to the assets and business processes it affects. Treatment plans link to controls, carry tasks and evidence, and run on a recurring review cadence.

Statement of Applicability (Cl. 6.1.3)
Generate an ISO 27001 Statement of Applicability draft directly from your control-applicability baseline and current rollout status, then review, justify and approve it. The hard part (the baseline) is done for you; the ownership stays yours.

Information security policy & documented information (Cl. 5.2, 7.5)
Full document control: versions, scheduled review cycles, approval, retention and access control. Publish policies and drive read-and-understood acknowledgement campaigns with reminders.

Competence & awareness (Cl. 7.2, 7.3)
A built-in Learning module — courses, materials, quizzes, schedules and completion tracking — so you can assign, deliver and evidence security training and awareness.

Monitoring & measurement (Cl. 9.1)
Control tests with steps and KPIs, a control-effectiveness history, compliance reviews, and a live compliance dashboard showing criteria coverage and control posture across the organisation.

Internal audit (Cl. 9.2)
Plan and run internal audits end to end: audit programs, audit workflow, team management, external auditor invites, findings and audit reports.

Management review (Cl. 9.3)
Periodic top-management review with snapshotted metrics and an immutable attestation sign-off — a defensible record of what leadership reviewed and when.

Improvement & corrective action (Cl. 10)
Turn findings into tracked corrective actions with a full status lifecycle, and watch closure trends on the dashboard for continual improvement.
Annex A:2022

Assure every Annex A control — all 93.

Register → declare applicability (SoA) → assign an owner → record implementation status → test effectiveness → attach evidence → govern exemptions, with approver and expiry.

37 controls · Organizational · A.5
8 controls · People · A.6
14 controls · Physical · A.7
34 controls · Technological · A.8

Explainable applicability

A baseline scoping engine proposes which controls apply to each asset and explains why, per asset — so "how did this control get in scope?" is never an argument.

Effectiveness over time

Every control test writes to an effectiveness history, so you can show not just that a control exists, but that it works and keeps working.

Native controls

Controls 01GRC performs for you.

Beyond assurance, the platform performs a number of Annex A controls as real features.

Controls 01GRC performs natively / what each one does:

Asset inventory & information classification (A.5.9, A.5.12)
A live inventory of assets and information with CIA classification, owners and criticality.

Supplier & ICT supply-chain risk management (A.5.19–A.5.23)
Vendor register, questionnaires, derived criticality and subcontractor mapping.

Incident management & event reporting (A.5.24–A.5.28, A.6.8)
State-machine lifecycle, typed activity timeline and MTTD/MTTR dashboards.

Business continuity & ICT readiness (A.5.29–A.5.30)
BIA-driven impact analysis and resilience exercises evidenced against recovery targets.

Security awareness & training (A.6.3)
The Learning module — assign, deliver and evidence awareness training.

Honest scope

What you implement, what 01GRC assures.

We are deliberately clear about this, because your auditor will be too.

What you implement in your environment / what 01GRC gives you:

Technical controls — access control, cryptography, malware protection, logging, network security, secure development, backup
The register, applicability/SoA, ownership, effectiveness testing and evidence for each one.

Physical controls — perimeters, entry, monitoring, equipment
The same full assurance lifecycle and audit trail.

People controls — screening, disciplinary process, confidentiality agreements
Policy management, awareness training, and evidence tracking.

01GRC is the system of record and assurance for your ISMS. It does not replace your firewalls, identity provider or physical security — it proves they are in place, applicable, tested and effective.

Platform

Capabilities that make ISO 27001 easier.

Business-first object graph

Department → Process → Asset → Data Flow → Vendor, with dependency mapping and derived process/vendor criticality.

Immutable evidence

Activity logging on every entity, snapshotted management-review sign-offs, encrypted and virus-scanned attachments, soft deletes by default.

Exemption governance

Request/approve/expire workflow with justification and a conversation thread, including the residual risk of the exemption itself.

Role-based access & multi-tenancy

Granular permissions enforced through policies, every record strictly scoped to its organisation, MFA, session controls and IP blocklisting.

Global search

Find any record or action across modules, permission-aware, with quick actions.

Deploy anywhere

Self-contained with no external dependencies — deploy on-premises, in your private cloud, or fully air-gapped.

Who it's for

One ISMS, every stakeholder.

CISO / Risk Officer

Organisation-wide risk posture, treatment plans, exemption governance, and a single line of sight from risk to affected business.

Compliance Manager

Statement of Applicability, control tests, compliance reviews, gap analysis, audit programs and document campaigns.

Internal Auditor

Audit programs, findings, corrective actions and explainable control applicability, plus tokenised external-auditor access scoped to specific audits.

Executive / Board

Management-review dashboard with KPI cards and immutable sign-off records.

01GRC operates and evidences your Information Security Management System and manages your control framework, including a Statement of Applicability and effectiveness testing across all 93 Annex A controls. Technical, physical and people controls are implemented in your own environment; 01GRC is where you scope, assess, test and prove them. ISO/IEC 27001 certification is awarded to your organisation by an accredited certification body — 01GRC helps you get there and stay there.

More frameworks

One platform, every standard you answer to.

ISO 27001 is one of several frameworks built in — and you can add your own. More framework guides are on the way.

See your ISO 27001 ISMS the way it should look.

Book a personalised walkthrough — we'll demo risk, the Statement of Applicability, control testing, internal audit and management review on data shaped like yours.